| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161225212023.GB26891@amd>
Date: Sun, 25 Dec 2016 22:20:24 +0100
From: Pavel Machek <pavel@....cz>
To: David Howells <dhowells@...hat.com>
Cc: keyrings@...r.kernel.org, matthew.garrett@...ula.com,
linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 01/16] Add the ability to lock down access to the running
kernel image
Hi!
> allow the running kernel image to be changed including the loading of
> modules that aren't validly signed with a key we recognise, fiddling with
> MSR registers and disallowing hibernation,
"." at EOL.
> @@ -158,6 +158,21 @@ config HARDENED_USERCOPY_PAGESPAN
> been removed. This config is intended to be used only while
> trying to find such users.
>
> +config LOCK_DOWN_KERNEL
> + bool "Allow the kernel to be 'locked down'"
Locked down, or 'locked down' ? :-).
> + help
> + Allow the kernel to be locked down under certain circumstances, for
> + instance if UEFI secure boot is enabled. Locking down the kernel
> + turns off various features that might otherwise allow access to the
> + kernel image (eg. setting MSR registers).
I'd add something that clarifies it is "running" kernel image.
> +config ALLOW_LOCKDOWN_LIFT
> + bool
Don't you need to add 'bool "something"' so that user can actually
select this?
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)
Powered by blists - more mailing lists